
Poll: Do you have IT Disaster Recovery/Business Continuity planning?

IT Disaster Planning & Business Continuity

This is a new forum to discuss what I consider to be a rather ignored aspect of IT security.

Ask yourself: "what would happen if we lost our computing facility?"

You know, a hurricane, typhoon, flood, fire, and so on. It doesn't really matter what sector you are in: school/college, .gov, .mil, .com, .net................

As I have always seen things there are two facets to this:

1. Recovering from an IT specific disaster.
2. Business (organisational) continuity in the face of a more global disaster.

So, I thought I would post a poll to see what sort of level of penetration and awareness these concepts have.

What I am interested in is basically:

1. Do you have an IT disaster recovery plan?
2. Do you have a global Business Continuity plan?
3. Are they formally documented and disseminated?
4. How often do you test it?
5. Does it involve all areas/departments of your organisation?
6. Has everyone been trained, and do they know what to do?
7. Does it have a budget and contingency reserve fund?

This is a new discussion forum, where I hope that we can share ideas and experiences; so please be patient (and contributive) whilst it takes shape.

Thanks,

Johnno

EDIT: Multiple choices are allowed in the above poll

Please note, I have voted for two options because I have multiple clients, some of whom cannot have a global policy........ if your hotel or shop burns down, you cannot expect to have alternative facilities on tap?

Last edited by nihil; November 17th, 2007 at 12:22 PM.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

I work as an IT contractor, and my previous client was an international business, with the full cold and hot rooms set up and ready around the planet. And the war rooms were used monthly to keep the policy fresh in everyone's mind .........

Right now, I'm with the UK NHS, and their disaster recovery plans appear to be a lot less in scale, restricted to continual backups, with off site storage.
So, yeah, it does matter who you are, and what the implications of loss would mean, that determines just how much you need to spend to ensure continuity ...............

It also explains why I haven't put a vote up, as I do not actually work for them on a permanent basis

Last edited by foxyloxley; November 18th, 2007 at 10:56 AM.

55 - I'm fiftyfeckinfive and STILL no wiser,
OLDER yes
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone

Yes, daily backup and offsite storage is pretty popular with my lot as well, especially the professionals (accountants, lawyers) who tend to have more than one office reasonably close.

For the pubs, restaurants, hotels and guest houses this is really all they can do as a disaster would generally mean a total loss of their business.

Also, for these small outfits their hardware can be replaced within hours.


Some of our clients do have implementations of BCM
standards, in particular PAS56/BS 25999, in accordance with
ISO/IEC 17799 (ISO/IEC 27002 in the new 27000 series).

Main motivation of these clients certainly is compliance with SOX
and/or Basel II.

These BCM standards exactly try to minimize risks of disruptions caused
by minor incidents or major disasters, like hurricanes, earthquakes, etc.
Part 1 of BS 25999 _is_ a code of practice and thus applicable even by SMBs.
Nevertheless, I am wondering which SMBs really had a look at this code
of practice, let alone tried to implement it. Internally, we haven't; we
do have a DRM and BCM though.

I haven't said much substantial yet, but I think the effort done
by good people should not be ignored - there is no need to re-invent
the wheel

As per your 7 questions. I personally think, and it is my experience,
that the points mostly ignored are 4 and 6:

4 - Externals usually audit that the implementation is compliant
with the standard/documentation. Whether it works at all in the specific
case rarely is tested!

6 - It all comes down to the people. Right before and shortly after
the audit, usually they have an idea of what to do. Period...

Would be nice to have catch participating in this discussion

Cheers

If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)

Thanks for your contribution. The additional concept that you have added I would look at as being sort of the "interface with regulatory compliance, industry standards" and possibly even insurance provider requirements.

I too have a certain cynicism regarding these "Standards"............. it is the same with BS, ISO and ASA.............. like I have processes that are BS9000 compliant................ all it says is that I have something documented and implemented.

It could be the most foolish and inefficient on Earth, but I would still get my certificate.


I agree it is all well and good to have ISO compliant procedures, but they need to be tested once in a while and most definitely updated at least once a year.

"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
Oscar Wilde (1854-1900)

Nihil, I was hoping that my cynicism was not so obvious. I really do
appreciate the work of a few smart people who write together formal
considerations, sometimes even with reasonably applicable codes of practice.
However, in the end, it is as you say: you have to document something,
which you do implement (it is not always like that of course, but take
ISO 9001 as an illustrative example).

I just came across another issue in a BCM "concept". Standards provide a lot
of helpful considerations and help to reduce forgetting obvious elements.
Without them, it happens that external dependencies simply get forgotten:

Thought has been given to every process within a company - except external
providers, such as the email-provider (for god's sake). So if the
email-provider does not have a reasonable DR and BCM, your BCM is flawed...
this happens...

Cheers


Hi, I am interested in this disaster recovery planning and I wanna know the basics of it and how to document that planning. I wanted to propose this kind of planning but I don't have any idea where to start. Can anyone point me in the right direction?

As stated... depending on the business you are recovering... will determine your strategy to recover it.

Also the strategy will greatly depend on the type of "disaster".

Off site storage of data is required by most insurance companies here in Canada....again depending on the business..I work mostly for manufacturers and retail stores....and am responsible for the recovery of data and systems.

A few years ago we had a flood where the retail stores lost a huge amount of inventory and there was water damage to the interior of the stores....the recovery of that was based on insurance and government funding.